Time Measurement Threatens Privacy-Friendly RFID Authentication


  1. Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols
     Gildas Avoine (1), Iwen Coisel (2) and Tania Martin (1)
     (1) Information Security Group, Université Catholique de Louvain
     (2) Crypto Group, Université Catholique de Louvain
     RFIDSec 2010
     UCL Crypto Group, Microelectronics Laboratory

  2. The Privacy of an RFID Authentication Scheme
     - Interest depends on the application
       - not really necessary in inventory management
       - essential in the passport context, to protect the user's identity and to prevent anyone from tracing him
     - Lots of sensitive applications
       - medical supplies
       - transport cards
       - luxury items
       - ...
     ⇒ Real need for a privacy analysis
     We focus here on traceability.

  4. Privacy vs Time Measurement
     Several privacy models exist [A05, JW07, LBM07, V07, CCG10]
     - Juels and Weis: possible to know the result of a protocol
     - Vaudenay: tags are not necessarily in the adversary's field
     How long does it take a reader to identify a tag? None of them considers it.
     It's not (only) an implementation issue.
     Contributions:
     - Point out this threat
     - Formalize it
     - Attack some protocols
     - Present some countermeasures

  5. Outline
     1. Modelling Privacy
     2. Time-Attack on Some Existing Schemes
     3. Countermeasures
     4. Conclusion

  7. Vaudenay's Model [Vau07]
     List of oracles given to an adversary A
     - CreateTag: adds a new legitimate tag
     - DrawTag: a tag enters the adversary's field
     - Free: a tag goes out of the adversary's field
     - Execute: returns transcripts
       - Launch
       - SendTag
       - SendReader
     - Result
     - Corrupt: returns the tag's key set

  8. Vaudenay's Model [Vau07]
     Considering the Corrupt oracle, 3 adversary abilities:
     - WEAK: no Corrupt allowed
     - FORWARD: Corrupt "stops" the system
     - STRONG: Corrupt has no effect
     Considering the Result oracle, 2 adversary abilities:
     - NARROW: no Result allowed
     Adversary classes P ordered by power:

       STRONG   ⇒ FORWARD   ⇒ WEAK
         ⇓          ⇓          ⇓
       N-STRONG ⇒ N-FORWARD ⇒ N-WEAK

  9. Vaudenay's Model [Vau07]
     Experiment of A
     1. A interacts with the whole system
     2. A submits a hypothesis
     3. A obtains Tab and returns 0/1
     The protocol is said to be P-private if the simulated adversary $A_{sim}$ has the same success probability as A:

       $|\Pr[A \to 1] - \Pr[A_{sim} \to 1]| < \epsilon(k)$

       STRONG   ⇒ FORWARD   ⇒ WEAK
         ⇓          ⇓          ⇓
       N-STRONG ⇒ N-FORWARD ⇒ N-WEAK

  10. Time-Privacy
     To capture the notion of time in an authentication protocol:
     - Timer: outputs the time δ taken by the reader for its overall computations during a given protocol instance
     This makes it possible to define TIMEFUL-Privacy:
     - Adds a new ability ⇒ more powerful adversary
     - At each level X ∈ {STRONG, FORWARD, WEAK}:

       TIMEFUL-X        ⇒ X
           ⇓              ⇓
       TIMEFUL-NARROW-X ⇒ NARROW-X

  12. Context of the Study
     Several key infrastructures are possible:

                     secret-key   public-key
       master            X           Yes
       particular       Yes          Yes

     Considering Vaudenay's generic scheme [Vau07]
     - Authentication: encryption of ID || K || a
     - Verification: decryption of the message + authenticity of K
     ⇒ constant-time authentication
     Particular secret-key infrastructure
     - Each tag owns a particular secret key
     - The reader does not know which key to use
     ⇒ SearchID procedure

  14. WSRE Protocol
     Protocol proposed by Weis, Sarma, Rivest and Engels [WSRE03]
     - Each tag owns a secret key $sk_{ID}$
     - f is a pseudo-random function
     SearchID procedure: brute-force search
     - Best case: 1 computation
     - Average: n/2 computations
     - Worst case: n computations

  16. WSRE Protocol
     A time-attack on WSRE
     - A creates 2 legitimate tags and draws them: $t_1$ and $t_2$
     - A calls Execute($t_1$) and Execute($t_2$): $(\pi_1, tr_1)$, $(\pi_2, tr_2)$
     - A calls Timer($\pi_1$) and Timer($\pi_2$): $\delta_1$ and $\delta_2$
     - A frees both tags, and draws only one of them again: $t_3$
     - A calls Execute($t_3$): $(\pi_3, tr_3)$
     - A calls Timer($\pi_3$): $\delta_3$
     - If $\delta_3 = \delta_1$, then $t_1 = t_3$, else $t_2 = t_3$ ⇒ $\Pr[A \to 1] = 1$
     For the simulation, the output of Timer($\pi_3$) is guessed ⇒ $\Pr[A_{Sim} \to 1] = 1/2$
     WSRE is NOT TIMEFUL-WEAK-private.

  17. Several Attacks
     Ohkubo, Suzuki and Kinoshita [OSK03]
     - NARROW-FORWARD private
     - Not TIMEFUL-WEAK private
     - Desynchronisation helps to distinguish two tags
     Undesynchronizable schemes [D05, LBM07, CC08, ...]
     - Only one possible desynchronization
     - WEAK private
     - Not TIMEFUL-WEAK private

  19. Presentation
     Major concern = SearchID procedure
     Example for WSRE
     - Always waiting until the worst case (n computations)
       - "Always" applicable
       - Not efficient
     - Random SearchID instead of a linear one
       - More efficient: n/2 computations on average for each tag
     Countermeasures
     - Not possible to link a time length to a tag
     - Optimally: time length independent of n
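An added simulation (not from the original slides) of the time-attack on WSRE and of the two WSRE countermeasures listed above. Assumptions: the tag answers with a nonce r and f(sk_ID, r), f is HMAC-SHA256, Timer's δ is modelled as the number of f evaluations the reader performs, and all function names are illustrative.

```python
import hashlib, hmac, random, secrets

def f(key, r):
    # Stand-in PRF (assumption): HMAC-SHA256.
    return hmac.new(key, r, hashlib.sha256).digest()

def tag_answer(key):
    # Assumed message shape: the tag sends a fresh nonce r and f(sk_ID, r).
    r = secrets.token_bytes(16)
    return r, f(key, r)

def search_id(keys, answer, mode, rng):
    """Reader-side SearchID. Returns (tag index, cost), where cost counts
    evaluations of f and plays the role of the Timer output delta."""
    r, mac = answer
    order = list(range(len(keys)))
    if mode == "random":          # countermeasure: fresh random order per run
        rng.shuffle(order)
    found, cost = None, 0
    for i in order:
        cost += 1
        if hmac.compare_digest(f(keys[i], r), mac):
            found = i
            if mode != "padded":  # "padded" always performs all n computations
                break
    return found, cost

def timeful_game(keys, mode, rng, t1, t2):
    """One run of the experiment above; returns (A guessed right, delta3)."""
    d1 = search_id(keys, tag_answer(keys[t1]), mode, rng)[1]
    search_id(keys, tag_answer(keys[t2]), mode, rng)  # delta2, unused by the rule
    t3 = rng.choice([t1, t2])     # the tag that is drawn again
    d3 = search_id(keys, tag_answer(keys[t3]), mode, rng)[1]
    guess = t1 if d3 == d1 else t2
    return guess == t3, d3

def evaluate(mode, n=64, runs=400, seed=1):
    """Returns (adversary success rate, mean SearchID cost) for a search mode."""
    rng = random.Random(seed)
    keys = [secrets.token_bytes(16) for _ in range(n)]  # constructed key database
    results = [timeful_game(keys, mode, rng, 3, 40) for _ in range(runs)]
    wins = sum(ok for ok, _ in results)
    return wins / runs, sum(d for _, d in results) / runs

if __name__ == "__main__":
    for mode in ("linear", "random", "padded"):
        print(mode, evaluate(mode))
```

With the linear search the distinguisher wins every run; with the random or padded search its success falls to about 1/2, at a mean cost of about n/2 and exactly n computations respectively.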

  20. Undesynchronizable Schemes
     Tags can be desynchronized once ⇒ 2 possible keys per legitimate tag
     - Worst case: 2n computations (instead of n)
     - Random Search
       - Synchronized tag: n/2 computations
       - Desynchronized tag: 3n/2 computations
       ⇒ A can distinguish 2 tags
     - New Random Search
       - Random among the whole set of keys (current and old/next ones)
       - Average time for all tags: n computations
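An added cost model (not from the original slides) for the two search strategies above. It counts key trials only, with no cryptography; the strategy labels `two_phase` and `uniform` and the function names are introduced here for illustration.

```python
import random

def search_cost(n, tag, desynchronized, strategy, rng):
    """Number of key trials before the reader reaches the key the tag uses.
    The database holds two entries per tag: its current key and its other
    (old/next) key. A desynchronized tag answers with the other key."""
    current = [(t, "current") for t in range(n)]
    other = [(t, "other") for t in range(n)]
    if strategy == "two_phase":
        # Random order over the current keys first, then over the other keys.
        rng.shuffle(current)
        rng.shuffle(other)
        order = current + other
    else:
        # "uniform": a single random order over the whole set of 2n keys.
        order = current + other
        rng.shuffle(order)
    target = (tag, "other" if desynchronized else "current")
    return order.index(target) + 1

def mean_cost(n, desynchronized, strategy, runs=4000, seed=7):
    """Average number of trials over many protocol runs for one tag."""
    rng = random.Random(seed)
    total = sum(search_cost(n, 0, desynchronized, strategy, rng)
                for _ in range(runs))
    return total / runs

def timing_gap(n, strategy):
    """Mean cost difference between a desynchronized and a synchronized tag;
    a large gap is what lets the adversary tell the two tags apart."""
    return mean_cost(n, True, strategy) - mean_cost(n, False, strategy)

if __name__ == "__main__":
    for strategy in ("two_phase", "uniform"):
        print(strategy, mean_cost(100, False, strategy),
              mean_cost(100, True, strategy), timing_gap(100, strategy))
```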

  21. Precomputation Solution
     No random values in OSK ⇒ precomputation of "all" answers is possible: n·m answers
     - Balanced Binary Search
       - SearchID efficient: O(log n)
       - really dynamic: tags can be added infinitely
     - Rainbow Table [AO05, ADO05]
       - Database size reduced
       - Efficiency of SearchID depends on the time-memory trade-off
       - But not dynamic
       - But requires database update (instead of tag update)
